Hardware and Software Requirements

Before deploying LCE, confirm that the prerequisite software and hardware requirements have been met and that you have an operational instance of SecurityCenter. Depending on the size of your organization and the way you deploy LCE, the hardware requirements for LCE change. All deployments have a common set of minimum software requirements.

Caution: If you have used a previous version of LCE and are upgrading, note that in order to utilize LCE 5.0, your system will require about twice the previous minimum disk space, and about 33% more computing power and RAM. It is not recommended that you upgrade a system that is already operating at maximum capacity while utilizing an older version of LCE.

Additionally, while LCE is active, it requires exclusive access to certain ports. The only services that are required to support remote users are SSH and the LCE interface (lce_wwd). If other services are active on the system, conflicts should be avoided on the following default ports:

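| Protocol | Port | Description |
|----------|-------|-------------|
| UDP | 162 | SNMP |
| UDP | 514 | Syslog messages |
| TCP | 601 | Reliable syslog service messages |
| TCP | 1243 | Vulnerability detection (if enabled in SecurityCenter) |
| TCP | 6514 | Encrypted TCP syslog messages |
| TCP | 8836 | LCE interface |
| TCP | 31300 | LCE Clients |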

Caution: The system running the LCE can operate a syslog daemon, but the syslog daemon must not be listening on the same port(s) that the LCE server is listening on.
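
A pre-deployment check for the default ports listed above, as an added example that is not part of the original documentation or of Tenable's tooling. It assumes a Linux host with `ss` from iproute2; the function names and the sample listener table are constructed for illustration. Protocol and port are matched together, so a TCP listener on 514 is not reported against the UDP 514 syslog port.

```shell
#!/bin/sh
# Added example: report listeners already bound to an LCE default port.
# The port list is copied from the table above; all names are hypothetical.
LCE_PORTS="udp/162 udp/514 tcp/601 tcp/1243 tcp/6514 tcp/8836 tcp/31300"

# Reads `ss -H -tuln` output on stdin and prints one "proto/port address"
# line for every listener that would collide with an LCE default port.
find_lce_port_conflicts() {
    awk -v ports="$LCE_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        NF >= 5 {
            proto = $1
            sub(/6$/, "", proto)      # tolerate tcp6/udp6 style labels
            addr = $5                 # local address:port column
            port = addr
            sub(/.*:/, "", port)      # text after the last colon (IPv6 safe)
            key = proto "/" port
            if (key in want) print key, addr
        }
    '
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0               [::]:514           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:514        0.0.0.0:*
tcp   LISTEN 0      128                *:8836             *:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
EOF
}

# Demonstration on the constructed sample.
sample_ss_output | find_lce_port_conflicts
```

On a live host, pipe `ss -H -tuln` into `find_lce_port_conflicts` instead of the sample; any line it prints is a listener, such as a local syslog daemon on UDP 514, to move or stop before LCE starts.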

Hardware Requirements

The hardware requirements for LCE change based on the number of events being processed.

Estimating Events

The following table provides the estimated average number of events from various sources.

| Devices | Number of Estimated Events |
|---------|----------------------------|
| 1 workstation/laptop | 0.5 events/sec |
| 1 web-facing app server | 20 events/sec |
| 1 web-facing firewall/IDS/IPS | 75 events/sec |
| 1 internal application server (low volume) | 5 events/sec |
| 1 internal application server (high volume: IIS, Exchange, AD) | 20 events/sec |
| 1 internal network device | 2 events/sec |

To convert your event rate to bytes per day, Tenable recommends that you multiply your total events/second by 250 bytes/event and multiply by 86,400 seconds/day.

System Specification

The following table specifies the system requirements based on the number of events the LCE server is processing.

| Installation scenario | RAM | Processor | Hard disk | Hard disk space |
|-----------------------|-----|-----------|-----------|-----------------|
| One LCE server with Elasticsearch processing less than 5,000 events per second | | | | |
| One LCE server with Elasticsearch processing between 5,000 and 20,000 events per second | 32 GB | 64-bit, 16 cores | | |
| One LCE server with Elasticsearch processing greater than 20,000 events per second | 64 GB or more | 64-bit, 24 cores or more | | |

Note: An archived Elasticsearch database must be restored before it can be queried. The recommended hard disk space does not include optional archiving of logs that exceed the licensed limit.

The LCE server requires a minimum of 20 GB of storage space to continue running and storing logs. If less than 1 GB is available, the Log Engine (lced) process will stop gracefully and refuse to store additional logs. The current system disk space is visible on the Health and Status page of the LCE interface.

Licenses

Each LCE server is licensed to the specific hostname of the system it is to be installed on. There is no licensed limit to the number of events or IPs that the LCE can be configured to monitor.

There are different licenses available for the LCE based on the total amount of storage used by the LCE. The licenses are based on 1 TB, 5 TB, and 10 TB storage sizes. A license for LCE is provided as a part of SecurityCenter Continuous View. There is no difference in the LCE software that is installed, just the maximum storage size that can be used by the LCE. The size limit of the Elasticsearch databases can be configured via the LCE interface. Data that exceeds your license limit will be archived.